According to a December 2010 draft of the new guidance, regulators will be asking financial institutions to improve online security internally as well as for their consumer and commercial customers.

"The regulators' awareness of some of the threats is positive, and what they are trying to do on the business banking side is good," says former Bank of America executive David Shroyer, now a partner at risk assessment provider Fraud Red Team. Shroyer says the updates give banks more insight about online threats for which they need to prepare. "But the new guidance is not explicit about antivirus updates and patches, and that's important," he adds. "Financial institutions live and die by this guidance."

Shroyer, who oversaw identity, security and fraud-prevention initiatives at BofA, says banks need definitive guidelines, "and the way some of this is currently worded, it's not clear."

Shroyer reviewed a copy of the drafted guidance after it reportedly appeared on one of the FFIEC agencies' websites, and he says the draft does not delve into a number of concerning areas, including authentication for mobile and call-center banking, which both have proven susceptible to vishing scams.

Enhanced user-authentication techniques as well as explanations for improved device identification and protection;

Recommendations for improved customer and employee fraud awareness.

Banks More Accountable

One overarching theme evident in the draft's language is that more security burdens can be expected for banks and credit unions. In fact, it is likely that banking institutions, going forward, will be held more accountable if and when online security is breached.

The drafted guidance explicitly mentions vulnerabilities to small and medium business accounts, since fraudsters have figured out how to compromise those accounts for high returns in ACH and wire fraud. As part of banks' responsibility to educate commercial customers about fraud risks and security, the draft suggests financial institutions clearly explain protections that are and are not provided under Regulation E.

The draft also suggests institutions encourage their "commercial online banking customers (to) perform a related risk assessment and controls evaluation." Banks also are encouraged to provide commercial customers with suggestions for alternative risk-control mechanisms that could help reduce commercial-account risks.

Distinguished Gartner Analyst Avivah Litan says that acknowledgment of vulnerability for commercial customers is the best thing to come out of the draft. In a recent blog entry, Litan writes: "Business account holders will now have to be explicitly informed that the business holds the bag if their accounts are raided through online banking (unless the bank promises to cover such losses by means of binding contracts between the bank and its customers).

"At least this measure finally makes the rules of the game transparent and doesn't keep them buried in the fine print of long contractual agreements that many customers find hard to read. With the introduction of this measure, customers should not be so shocked when they are not reimbursed by their bank for often crippling losses."

Guidelines 'Spot-on?'

TowerGroup's George Tubin, who agrees regulators have not been vigilant when it comes to breach liability transparency, says the draft reflects moves in a promising direction. "I personally think the new requirements are spot-on, and the supplement is very well and clearly written," says Tubin, a senior research director in Delivery Channels and Financial Information Security research.

But former BofA executive Shroyer says the guidance is too vague. "One of the key things we're finding is that processes need to be reviewed," he says. "Banks must continue to implement control mechanisms that are in accordance with the risk of the transaction."

Shroyer says criminals are breaching control mechanisms through process gaps between siloed banking channels. "Cross-channel fraud is the new big threat facilitated by enhanced malware and open-source identity compromise," he says. "The guidance doesn't address that. And when different organizations have different goals, you end up with process overlaps that are conflicting. It would be great if the guidance would point more of that out."

2005 Guidance Was Clear

Regulators suggest many of those process gaps and overlaps resulted from banks' decisions to ignore recommendations clearly stated in the original 2005 authentication guidance. For example, from an authentication standpoint, three-factor authentication -- something the user knows, has and is -- could have prevented many online and cross-channel breaches, regulators say.

"I don't know of anyone who's actually following this by doing all three (factors)," says Ben Sady, manager of Risk Advisory Services for Keiter Stephens, a certified public accounting firm and consultancy. "Even with a symbol, that's something you know, so it's not true multifactor authentication, as the guidance intended. And most banks were only following this first one, something the user knows, trying to figure out if they really had to comply with one [factor] or all three."

Regulators have taken note of this noncompliance with multifactor measures. As the new draft states: "The Agencies are increasingly concerned that customer authentication methods implemented several years ago may no longer be effective." And from a risk assessment standpoint, regulators argue banking institutions were not doing enough to stay current.

Sady says most banks conduct audits to address risk only once every two years; at large banks, audits may occur annually. "Judgment is required on behalf of bank management, internal auditors and regulators to determine the best approach to security," he says. "This approach to provide guidance is meant to provide the flexibility and reduce the burden of compliance, where a square peg does not fit a round hole."

About the Author

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
